Missiles-on-rooftops Brit spy Farr: UK gov can slurp your Facebook, Twitter ... What of it?

It's all 'external comms'... and we don't need a warrant

A top UK spy reckons British intelligence can legally snoop on Brits' Facebook posts and tweets because they’re classed as “external communications” – though he wouldn't confirm outright that his g-men had done so.

Charles Farr, director general of the Office for Security and Counter Terrorism, said that the UK government runs a legal programme of mass surveillance on users of Facebook, Twitter, Google, YouTube and other sites because everything people said or posted on these sites was external comms based on platforms in the US.

That makes the sites fair game for snooping by the intelligence services under the Regulation of Investigatory Powers Act (RIPA), he said. That law says that internal communications can only be intercepted under a warrant for a specific person or address when there is some suspicion of illegal activities. But external comms can be picked up any time, even when there are no grounds for a warrant.

In practice, Farr said, that means that an email sent by a Google user to a Hotmail user both located in the UK is an internal communication, even though it may have passed through a server in another country. However, searching Google, tweeting, posting things on Facebook and other internet activities that end up stored on any server outside Blighty are classed as "external".

“Within the British Islands, the government has sufficient control and considerable resources to investigate individuals and organisations and it is feasible to adopt an interception regime that requires either a particular person, or a set of premises, to be identified before interception can take place,” Farr said in defence of the policy.

“Outside the British Islands, the government does not have the same ability to identify either relevant individuals or premises… the government is in many cases not aware of the precise location and online identities of members of Al-Qaeda around the world or of cyber criminals, Taleban insurgents, proliferators of weapons of mass destruction or precursor chemicals or of other similar individuals or organisations whose activities pose a threat to national security, the prevention and detection of serious crime or the economic well-being of the United Kingdom.”

The former MI6 man also said that electronic messages over the internet could go by a nearly infinite number of routes, so the only practical thing for the government to do was to slurp as much online info as possible. If the intelligence services happened to hoover up some internal communications accidentally, they could just not look at them without a warrant.

“The only practical way in which the government can ensure that it is able to obtain at least a fraction of the type of communication in which it is interested is to provide for the interception of a large volume of communications and the subsequent selection of a small fraction of those communications for examination by the application of relevant sectors,” he said.

Farr released the policy statement in response to a legal challenge from bodies including Privacy International, Amnesty and the American Civil Liberties Union, following the revelations from US whistleblower Edward Snowden about America’s PRISM surveillance programme and the alleged Brit equivalent Tempora.

The privacy campaigners argue the British government should reveal the full extent of Tempora, since the media has already made public documents about it. But Farr said that the alleged Tempora documents were no different to any other presumed leak, so he was sticking to the government’s policy of neither confirming nor denying them.

“I am not aware of any exceptional circumstances which would justify a departure from the neither confirm nor deny principle in relation to the alleged Tempora interception operation,” he said, adding that all he would say was that if it did exist, it would be legal.

But the campaigners said that by lumping platforms like Facebook, Twitter and YouTube into external comms, the government was denying UK citizens their rights.

“British residents are being deprived of the essential safeguards that would otherwise be applied to their communications - simply because they are using services that are based outside the UK,” Privacy International said in a statement.

It added that some of the suggestions from Farr about why people shouldn’t be worried were laughable.

Farr said that folks shouldn’t be bothered about whether their communications were slurped up by spooks, only if they were then read or listened to or watched. He also said that even when analysts did happen to violate people’s privacy by accessing their internal communications in error, people shouldn’t worry because they’d probably forget what they saw anyway.

“Such an approach suggests that GCHQ believes it is entitled to indiscriminately intercept all communications in and out of the British Isles,” Privacy International said.

You can see Farr’s full statement hosted on the Privacy International website here (PDF). ®
